Wolves With Fancy Binoculars: The Salesforce Sky Pasture Reconnaissance Crisis Nobody Wanted

I will be honest with you. When I first read this report, I put it down, made myself a cup of tea, and stared out the window for a full three minutes. Not from shock. From exhaustion.

The wolves have taken a legitimate developer inspection tool, AuraInspector, modified it like a stolen car with the plates filed off, and are now using it to mass-scan Salesforce Experience Cloud deployments for misconfiguration. They are extracting CRM data. Customer names, phone numbers, contact records. All of it. Scooped out like grain from an unlatched silo.

And what are the Shepherds doing? Presumably approving budget requests for a second Sky Pasture migration. Wonderful.

For those unfamiliar: AuraInspector is a browser extension designed for legitimate Salesforce development. It is a perfectly reasonable tool in the hands of a competent engineer. In the hands of a coyote, it becomes a very efficient set of binoculars pointed directly at your flock. The modified version automates scanning at scale, identifying Salesforce Experience Cloud sites where guest user access has been configured with the careless optimism of someone who has never once read a security policy.

The extracted data then feeds directly into vishing campaigns. Targeted voice calls. The wolf phones your lambs, knows their name, their account details, sounds completely plausible, and walks right through the front gate. In my day, social engineering required effort. Now it is a spreadsheet and a phone.

I would also like to formally register my contempt for the phrase "misconfigured guest access." This is not a misconfiguration. This is negligence with a user-friendly interface. The Sky Pasture vendors made it far too easy to leave the gate open while calling it a "feature."

Magnetic tape never had a guest access toggle. I am simply noting that.

Remediation

Right. Pay attention, because I will not repeat myself.

Audit your guest user permissions in Salesforce Experience Cloud. Today. Not Friday. Today. Guest profiles should have access to precisely nothing they do not absolutely require. Apply the principle of least privilege as if your career depends on it, because statistically, it does.

Review your AuraInspector and browser extension policies for anyone with Salesforce admin access. Unauthorized or modified extensions on developer machines are a hole in the fence waiting to be found.

Enable Salesforce Shield or equivalent logging so you can actually see when something is scanning your fields at three in the morning.

Brief the flock on vishing. A phone call that knows your account number is not a trustworthy phone call. This is not complicated. It is just unpopular to say.

And for the love of all things sensible, run a configuration health check. Most of the major Sky Pasture vendors provide them for free. There is no excuse.
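To make the logging point concrete, here is an added example, not code from the original post or from Salesforce: a small Python detector that flags a source hitting many distinct record paths on an Experience Cloud site within a short window, and notes whether it happened outside business hours. The access-log format, the site paths, the thresholds and the business-hours window are all assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: Apache/NGINX "combined" style access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one source walking 40 distinct record pages in 40
# seconds at 03:00 UTC, plus one ordinary visitor during the day.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2026:03:00:{i:02d} +0000] "GET /s/contact/{i:06d} HTTP/1.1" 200 512'
     for i in range(40)]
    + ['198.51.100.9 - - [12/Mar/2026:10:15:01 +0000] "GET /s/ HTTP/1.1" 200 2048',
       '198.51.100.9 - - [12/Mar/2026:10:15:09 +0000] "GET /s/contact/000001 HTTP/1.1" 200 512']
)

def parse(line):
    """Return (ip, timestamp, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]

def flag_scanners(log_text, window=timedelta(seconds=60),
                  min_requests=30, min_distinct_paths=20):
    """Map ip -> (requests, distinct_paths, off_hours) for every source that
    made >= min_requests to >= min_distinct_paths inside one sliding window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            paths = {p for _, p in chunk}
            if len(chunk) >= min_requests and len(paths) >= min_distinct_paths:
                # Assumed business hours: 07:00-19:00 in the log's timezone.
                off_hours = not (7 <= events[end][0].hour < 19)
                flagged[ip] = (len(chunk), len(paths), off_hours)
                break  # first window that trips is enough to report this source
    return flagged
```

The thresholds are deliberately conservative; tune them against a week of your own logs before alerting on them, and feed the flagged sources into whatever review process your Shield or equivalent logging already supports.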

Stay paranoid, stay patched, and maybe read the documentation for once.

Original Report: https://thehackernews.com/2026/03/threat-actors-mass-scan-salesforce.html